Hi there!

I've been using samba3 with ldap for years, and now I'm about to move to samba4 to leave the slapd. I didn't try yet to migrate the directory from samba3 to samba4. But I did set up a new domain and everything looks ok.

My doubt is related to the configuration of the computers with linux so that they can take advantage of the users and passwords of ldap. But also, groups that are unix exclusive. I didn't find a way to create groups that in samba3 were only unix:

smbgroupadd group

(without the -a)

Is this possible?

Also, I don't want to install winbind in every workstation to authenticate against samba4. How can I configure pam_ldap and nslcd to validate my users and groups? I did install kerberos and everything seems ok.

Thanks in advance.

On Sat, 01 Jul 2017 11:48:21 -0300 Guido Lorenzutti via samba <samba at lists.samba.org> wrote:

> Hi there!
>
> I've been using samba3 with ldap for years, and now I'm
> about to move to samba4 to leave the slapd.

I take it you mean that you use Samba as an AD DC

> I didn't try yet to migrate
> the directory from samba3 to samba4. But I did set up a new domain and
> everything looks ok.
>
> My doubt is related to the configuration of the
> computers with linux so that they can take advantage of the users and
> passwords of ldap. But also, groups that are unix exclusive.

It doesn't work that way, you create groups in AD and then make them Unix groups as well.

> I didn't
> find a way to create groups that in samba3 were only unix:
>
> smbgroupadd group
>
> (without the -a)
>
> Is this possible?

No, not unless you create a new NT4-style domain and I strongly urge you not to go down this path, they are things of the past and Microsoft seems to be trying to make it harder and harder to use them.

> Also, I
> don't want to install winbind in every workstation to authenticate
> against samba4. How can I configure pam_ldap and nslcd to validate my
> users and groups? I did install kerberos and everything seems ok.

Why do you want to do this?
The way the Samba code is now written, it needs winbind installed, so you might as well use it.

See here for more info on setting up a Unix domain member:

https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member

Rowland

On Sat, 1 Jul 2017 16:30:25 +0100, Rowland Penny via samba wrote:

> On Sat, 01 Jul 2017 11:48:21 -0300
> Guido Lorenzutti via samba wrote:
>
>> Hi there! I've been using samba3 with ldap for years, and now
>> I'm about to move to samba4 to leave the slapd.
>
> I take it you mean that you use Samba as an AD DC

Exactly.

>> I didn't try yet to migrate the directory from samba3 to samba4.
>> But I did set up a new domain and everything looks ok. My doubt is
>> related to the configuration of the computers with linux so that
>> they can take advantage of the users and passwords of ldap. But
>> also, groups that are unix exclusive.
>
> It doesn't work that way, you create groups in AD and then make them
> Unix groups as well.
>
>> I didn't find a way to create groups that in samba3 were only
>> unix: smbgroupadd group (without the -a) Is this possible?
>
> No, not unless you create a new NT4-style domain and I strongly urge
> you not to go down this path, they are things of the past and Microsoft
> seems to be trying to make it harder and harder to use them.

We used to hide some information from our windows group, to make acls only in unix groups. But well.. I think we can start sharing that info with the domain groups.

>> Also, I don't want to install winbind in every workstation to authenticate against samba4. How ca> ok.
>
> Why do you want to do this?
> The way the Samba code is now written, it needs winbind installed, so
> you might as well use it.
>
> See here for more info on setting up a Unix domain member:
>
> https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member [2]
>
> Rowland

I read that to join a squid proxy to the domain. But it's a pain to have to install winbind on every unix I have just to be able to use the same credentials as the samba domain. Before samba4, I was able to use ldap. Samba4 has an ldap-like service. There should be a way to use that an ldapsearch, for example. And of course, pam_ldap.

Links:
------
[1] mailto:samba at lists.samba.org
[2] https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member